Cross Realm SMB Signature Failure

Dave Daugherty dave.daugherty at centrify.com
Fri May 4 03:21:30 GMT 2007


Saw similar behavior a couple of years back with a Windows 2000 server,
and a different SMB client I was working on.  I just worked around it by
checking specifically if my signed messages were being reflected and
lived with it.  On the other hand the Windows server really wanted the
client to sign :)

Someone else posted this failure mode about a month ago, but once again
not as complicated a setup as yours. So it's a mystery.

I think the signing key is communicated in the AP_REP coming back from
the server.  Maybe the Windows server does not like something about the
AP_REQ packet.

Are you running the latest MIT Kerberos libraries?

Dave Daugherty

-----Original Message-----
From: samba-technical-bounces+dave.daugherty=centrify.com at lists.samba.org
[mailto:samba-technical-bounces+dave.daugherty=centrify.com at lists.samba.org]
On Behalf Of Michael B Allen
Sent: Thursday, May 03, 2007 7:54 PM
To: samba-technical at samba.org
Subject: Cross Realm SMB Signature Failure

When smbclient authenticates across realms (from MIT realm S.W.NET to
W2K3 realm W.NET) I'm seeing the server is just echoing back the same
signature sent by client. That signature of course fails verification:

$ kinit -f ioplex at S.W.NET
Password for ioplex at S.W.NET: 
$ smbclient -k -U ioplex //dc1.w.net/tmp
signing_good: BAD SIG: seq 1
SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!

If I use a W.NET cred it works fine and ssh works in the other direction
so I think the trust is good.

All enctypes are RC4. Haven't updated the W2K3 server since installing
it. Trying that now ...

I'm using stock 3.0.23c-2 on CentOS 5.0 with an unmodified smb.conf.

Has anyone seen this before?

Mike
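
Added example, not part of either message above and not Samba's code: a Python sketch of the SMB1 signature check (first 8 bytes of MD5 over the session key and the packet, with the sequence number placed in the signature field) that reports a reflected signature separately from other failures, in the spirit of the workaround mentioned in the reply. The key, the packets and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

SIG_OFF, SIG_LEN = 14, 8  # SecuritySignature field inside the 32-byte SMB1 header


def make_packet(flags: int, body: bytes) -> bytes:
    """Constructed SMB1 SESSION_SETUP_ANDX (0x73) packet with a zeroed signature."""
    header = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", 0x73, 0, flags, 0xC807, 0,
                         bytes(SIG_LEN), 0, 0, 0x1234, 0, 1)
    return header + body


def smb1_mac(mac_key: bytes, packet: bytes, seq: int) -> bytes:
    """MD5(mac_key || packet with seq in the signature field), truncated to 8 bytes."""
    buf = bytearray(packet)
    buf[SIG_OFF:SIG_OFF + SIG_LEN] = struct.pack("<II", seq, 0)
    return hashlib.md5(mac_key + bytes(buf)).digest()[:SIG_LEN]


def sign(mac_key: bytes, packet: bytes, seq: int) -> bytes:
    """Return the packet with its signature field filled in."""
    return packet[:SIG_OFF] + smb1_mac(mac_key, packet, seq) + packet[SIG_OFF + SIG_LEN:]


def classify_reply(mac_key: bytes, request: bytes, reply: bytes, req_seq: int) -> str:
    """Check a reply (expected sequence number req_seq + 1) and name the failure."""
    got = reply[SIG_OFF:SIG_OFF + SIG_LEN]
    if hmac.compare_digest(got, smb1_mac(mac_key, reply, req_seq + 1)):
        return "valid"
    if got == request[SIG_OFF:SIG_OFF + SIG_LEN]:
        return "reflected"  # server echoed the client's own signature back
    if got == bytes(SIG_LEN):
        return "unsigned"
    return "invalid"


# Constructed sample data: a 16-byte key and one request/reply pair.
KEY = bytes(range(16))
REQUEST = sign(KEY, make_packet(0x18, b"constructed request body"), 0)
UNSIGNED_REPLY = make_packet(0x98, b"constructed reply body")
GOOD_REPLY = sign(KEY, UNSIGNED_REPLY, 1)
REFLECTED_REPLY = (UNSIGNED_REPLY[:SIG_OFF] + REQUEST[SIG_OFF:SIG_OFF + SIG_LEN]
                   + UNSIGNED_REPLY[SIG_OFF + SIG_LEN:])

if __name__ == "__main__":
    for name, reply in (("good", GOOD_REPLY), ("reflected", REFLECTED_REPLY),
                        ("unsigned", UNSIGNED_REPLY)):
        print(name, "->", classify_reply(KEY, REQUEST, reply, 0))
```

A "reflected" result points at the server never having signed with the client's key at all, which is a different problem from a key or sequence-number mismatch.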

